US12107831B2ActiveUtilityA1
Automated fuzzy hash based signature collecting system for malware detection
Est. expirySep 10, 2041(~15.2 yrs left)· nominal 20-yr term from priority
H04L 63/1416H04L 63/1425H04L 63/0245H04L 63/145H04L 63/0263
79
PatentIndex Score
1
Cited by
17
References
19
Claims
Abstract
Automated fuzzy hash based signature collection is disclosed. A set of candidate fuzzy hashes corresponding to a set of false negative samples is received. A false positive reduction analysis is performed on the received set of candidate fuzzy hashes to generate a reduced set of fuzzy hashes. At least a portion of the reduced set of fuzzy hashes is clustered into a fuzzy hash cluster. A signature for a family of malware is generated based at least in part on the fuzzy hash cluster.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A system, comprising:
a processor configured to:
receive a set of candidate fuzzy hashes corresponding to a set of false negative samples;
perform a false positive reduction analysis on the received set of candidate fuzzy hashes to generate a reduced set of fuzzy hashes;
cluster, by a progressive clustering module, at least a portion of the reduced set of fuzzy hashes into a fuzzy hash cluster, wherein the progressive clustering module also considers, during the clustering, a set of previously identified false negatives, wherein the set of previously identified false negatives: (1) previously survived false positive filtering, (2) were previously evaluated by the progressive clustering module, and (3) were not selected for signature generation; and
generate a signature for a family of malware based at least in part on the fuzzy hash cluster; and
a memory coupled to the processor and configured to provide the processor with instructions.
2. The system of claim 1 , wherein the processor is further configured to filter out at least one fuzzy hash cluster based at least in part on a similarity match with an existing signature.
3. The system of claim 1 , wherein performing the false positive reduction analysis includes performing a pairwise comparison between a candidate fuzzy hash included in the set of candidate fuzzy hashes and a fuzzy hash of a known benign sample.
4. The system of claim 1 , wherein performing the false positive reduction analysis includes removing from consideration a fuzzy hash of a sample that is an infections virus.
5. The system of claim 1 , wherein generating the signature includes selecting a representative fuzzy hash from the fuzzy hash cluster.
6. The system of claim 1 , wherein generating the signature includes comparing the signature against a store of existing signatures.
7. The system of claim 1 , wherein the generated signature is usable by a data appliance to determine whether a file is malicious.
8. The system of claim 1 , wherein the processor is further configured to use the generated signature to detect a new malware family.
9. A method, comprising:
receiving a set of candidate fuzzy hashes corresponding to a set of false negative samples;
performing a false positive reduction analysis on the received set of candidate fuzzy hashes to generate a reduced set of fuzzy hashes;
clustering, by a progressive clustering module, at least a portion of the reduced set of fuzzy hashes into a fuzzy hash cluster, wherein the progressive clustering module also considers, during the clustering, a set of previously identified false negatives, wherein the set of previously identified false negatives: (1) previously survived false positive filtering, (2) were previously evaluated by the progressive clustering module, and (3) were not selected for signature generation; and
generating a signature for a family of malware based at least in part on the fuzzy hash cluster.
10. The method of claim 9 , further comprising filtering out at least one fuzzy hash cluster based at least in part on a similarity match with an existing signature.
11. The method of claim 9 , wherein performing the false positive reduction analysis includes performing a pairwise comparison between a candidate fuzzy hash included in the set of candidate fuzzy hashes and a fuzzy hash of a known benign sample.
12. The method of claim 9 , wherein performing the false positive reduction analysis includes removing from consideration a fuzzy hash of a sample that is an infections virus.
13. The method of claim 9 , wherein generating the signature includes selecting a representative fuzzy hash from the fuzzy hash cluster.
14. The method of claim 9 , wherein generating the signature includes comparing the signature against a store of existing signatures.
15. The method of claim 9 , wherein the generated signature is usable by a data appliance to determine whether a file is malicious.
16. The method of claim 9 , further comprising using the generated signature to detect a new malware family.
17. A computer program product embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
receiving a set of candidate fuzzy hashes corresponding to a set of false negative samples;
performing a false positive reduction analysis on the received set of candidate fuzzy hashes to generate a reduced set of fuzzy hashes;
clustering, by a progressive clustering module, at least a portion of the reduced set of fuzzy hashes into a fuzzy hash cluster, wherein the progressive clustering module also considers during the clustering, a set of previously identified false negatives, wherein the set of previously identified false negatives: (1) previously survived false positive filtering, (2) were previously evaluated by the progressive clustering module, and (3) were not selected for signature generation; and
generating a signature for a family of malware based at least in part on the fuzzy hash cluster.
18. The computer program product of claim 17 , further comprising computer instructions for filtering out at least one fuzzy hash cluster based at least in part on a similarity match with an existing signature.
19. The computer program product of claim 17 , further comprising computer instructions for using the generated signature to detect a new malware family.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.